More and more organizations use cloud service applications and resources rather than solely on-premises applications and resources (where "on-premises" means under the control of the organization, regardless of physical location, in contrast to the cloud). As with on-premises applications and resources, users need credentials to access cloud services. Some (typically very small) organizations use the cloud exclusively for their credential-based identity infrastructure and applications, and thus rely on the cloud to handle credential-based authentication.
Very large organizations run a directory service on-premises (for example, Microsoft Corporation's Active Directory®, including its domain controller servers) to authenticate users and to let applications discover user accounts and the relationships between accounts. Among other things, this allows such organizations to retain full control of their credential-related data for security purposes, rather than providing that data to the cloud. To reach cloud resources, such organizations use what (in an Active Directory® scenario, for example) may be referred to as a federation or federation service, which provides mechanisms for individual users to leverage their on-premises credentials to access resources in the cloud. The credentials themselves are not synchronized to the cloud; instead, the cloud redirects login requests and the like to the on-premises identity infrastructure for authentication, so that a user signs on only once (single sign-on).
However, a federation is relatively expensive to install and maintain, so only large organizations tend to use one. Many smaller organizations nevertheless want to use the same username and password to access on-premises resources and applications as well as cloud resources and applications. Without a federation, some other way to handle on-premises credentials and cloud credentials is needed.
One solution is to intercept the user's plaintext password (for example, when it is set or changed) for transport to a target directory service, where it may be replicated to all servers/databases in that identity infrastructure. However, transporting and replicating a plaintext password can be insecure, particularly when the cloud directory service is the target. Moreover, capture software needs to be installed and configured on each server in the directory service where password change events occur (e.g., each domain controller), so that every user password change event is captured. Among other drawbacks, this is inefficient and inconvenient to maintain.
Many companies do not want to release on-premises credential data to the cloud for security reasons, which creates an authentication problem. One solution is to issue users one set of credentials to access the cloud applications and another set of credentials to access the on-premises applications. This too is inefficient and inconvenient to maintain, for users and administrators alike.